SSRF Flaw Exposed Information From Google's Internal Network

A researcher has earned a significant bug bounty from Google after finding a serious server-side request forgery (SSRF) vulnerability that exposed information from the tech giant’s internal network.

The flaw was discovered by security engineer Enguerran Gillier in May and it took Google less than 48 hours to implement a patch. The expert earned $13,337 for his findings, which is the highest reward offered by the company for unrestricted file access issues.

Gillier identified the security hole after previously reporting a cross-site scripting (XSS) vulnerability in Google Caja, a tool that makes it safe to embed third party HTML, JavaScript and CSS code in a website.

He checked if the XSS attack he had discovered worked on Google Sites as well, which at the time used an unpatched version of Caja. After he failed to reproduce the XSS vulnerability, the expert tested for SSRF and discovered that the Google Sites Caja server was only fetching resources from Google domains.

The researcher bypassed this limitation by hosting a JavaScript file on Google Cloud services. The SSRF test resulted in a 1 Mb reply from the server, containing various pieces of private information from Google’s internal network.

Gillier reported his findings to Google, but continued conducting tests until the company rolled out a fix. While he did not manage to achieve unrestricted file access or remote code execution, the researcher did come across some interesting information from Google’s Borg, a datacenter management system that runs the company’s services.

A Borg cell includes a set of machines, a central controller named the Borgmaster, and an agent process called Borglet that runs on each machine.

Gillier made three test requests while Google was working on patching the issue and each of them led to the server responding with the status monitoring page of a Borglet. This provided the researcher various types of information, including what type of hardware powered the servers, performance data, and information on the tasks (jobs) submitted by users to Borg.

The researcher has made public some of the information he discovered. While none of the disclosed details appear to be particularly sensitive, some have questioned if he was allowed to make the information public and if he made the right choice in doing so.

“It’s not easy to determine the impact of an SSRF because it really depends on what’s in the internal network,” Gillier explained in a blog post. “Google tends to keep most of its infrastructure available internally and uses a lot of web endpoints, which means that in case of a SSRF, an attacker could potentially access hundreds if not thousands of internal web applications. On the other hand, Google heavily relies on authentication to access resources which limits the impact of a SSRF.”

“[Google] explained that while most internal resources would require authentication, they have seen in the past dev or debug handlers giving access to more than just info leaks, so they decided to reward for the maximum potential impact,” he added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.